1. National Policy Guidance for Protecting NASA Space Systems Randy Seftas Code 599.0, Mission Engineering and Systems Analysis Division E-Mail: george.r.seftas@nasa.gov Phone: 301-286-5765

2. 2010 National Space Policy (Protection) Principles The United States will employ a variety of measures to help assure the use of space for all responsible parties, and, consistent with the inherent right of self-defense, deter others from interference and attack, defend our space systems and contribute to the defense of allied space systems, and, if deterrence fails, defeat efforts to attack them. Goals Increase assurance and resilience of mission-essential functions enabled by commercial, civil, scientific, and national security spacecraft and supporting infrastructure against disruption, degradation, and destruction, whether from environmental, mechanical, electronic, or hostile causes. Inter-Sector Guidelines Assurance and Resilience of Mission-Essential Functions. The US shall: Assure space-enabled mission-essential functions by developing the techniques, measures, relationships, and capabilities necessary to maintain continuity of services Such efforts may include enhancing the protection and resilience of selected spacecraft and supporting infrastructure Develop and exercise capabilities and plans for operating in and through a degraded, disrupted, or denied space environment for the purposes of maintaining mission-essential functions Address mission assurance requirements and space system resilience in the acquisition of future space capabilities and supporting infrastructure

3. Protection Categories NASA’s existing protection policies and requirements basically fall into two very distinct (and in some cases, mutually exclusive) categories, which are: Protecting the terrestrial and space environments from naturally occurring events, and activities associated with the operation of NASA space systems. This protection category is strategic in nature and delineates environmental policies and requirements for protection domains ranging from any place on the Earth to planets in our solar system. Earth Environment - The Earth or terrestrial environment protection domain includes subsea regions, the surface of the planet and extends out 50 statute miles above mean sea level (MSL). Near Earth Space – The near Earth space protection domain begins at 50 statute miles above MSL and extends out to geosynchronous orbit altitude (approximately 22,300 miles). This protection domain includes the area of space that has the highest concentration of orbiting man-made satellites and launch vehicle upper stages. Interplanetary Space – The interplanetary space protection domain begins at geosynchronous orbit altitude and extends beyond our solar system. This domain includes spacecraft orbiting around the Moon and planets. Protecting NASA space assets from intentional or unintentional disruption, exploitation or attack, whether natural or man-made is the second NASA protection category. This category delineates policies to achieve sustained mission assurance/survivability of NASA space systems through the reduction of susceptibilities and the mitigation of vulnerabilities.

4. Environmental Protection Policy Decomposition (Terrestrial)

5. Space Asset Protection Policy Decomposition (Ground Segment) Analysis –Space Asset Protection Policies and Requirements (Ground Segment) Institutional Security – The national space policy does not specifically provide guidance on protecting the ground segment of US space systems, even though there are interagency issues regarding this topic, such as critical commercial infrastructure support to NASA space flight Centers. NASA has policy directives and requirements documents that provide guidance on implementing institutional security disciplines to protect the Agency’s people and property however, this guidance is more focused on providing institutional security for large NASA organizations, i.e., Headquarters, Centers and Flight Facilities. What is really needed is a more tailored security focus on the high value missions that the Agency acquires and flies.

7. NASA Example: A hard drive that contained an old version of the AQUA flight software was stolen from the AQUA/AURA hardware/software flight simulator (which is a critical node and single point-of-failure for the AQUA/AURA operational space systems).

8. Physical security was inadequate as there were two entrances to the simulator room and only one entrance required a key card.

9. IT security was inadequate since the very sensitive software on the hard drive could be downloaded to personal computers owned by personnel working in the lab.

10. Asymmetric Attack on Critical Commercial Infrastructure – Negates a space system’s mission performance by attacking it’s supporting commercial infrastructure.

11. NASA Example: An aerial fiber-optic cable that supports space operations from buildings 3, 13 and 14 at GSFC crosses Greenbelt road from the manhole trunk main-7 (single point-of-failure) and is susceptible to traffic accidents, weather and sabotage.

12. Open Source Example: For the fourth time in a week, an undersea communications cable has apparently been cut (or "failed due to a power outage," as some sources suggest), and while no official reports of subversion have surfaced just yet, things are beginning to get suspicious.Agency Approval Project Formulation Project Implementation Phase E: Phase B: Phase D: System Phase F: Phase A: Concept Phase C: Final Pre - Phase A: Operations and Preliminary Design Assembly, Closeout and Technology Design and Concept Studies Sustainment &Technology Integration, Test Development Fabrication Completion and Launch Affected Phases of a Typical Mission’s Lifecycle

13. Space Asset Protection Policy Decomposition (Comm/Info Segment) Analysis –Space Asset Protection Policies and Requirements (Comm/Info Segment) Information Systems and Network Security – Much like the other NASA institutional security disciplines the Agency’s IT Security organizations are focused on providing IT security for large NASA groups, i.e., Headquarters, Centers and Flight Facilities. What is really needed is a more tailored IT security focus on the projects that the Agency acquires and flies so as to counter Computer Network Attacks (CNA) and Exploitations (CNE) against these high-value space assets

15. Open Press Example: "While the Fort Belvoir site was the only downlink for the KH-11, additional sites were apparently in Hawaii and Europe"...“ In contrast, the signals from the LACROSSE/VEGA system are relayed via NASA's Tracking and Data Relay Satellites (TDRS), of which there are three in orbit. The signals are then transmitted to a ground station at White Sands, New Mexico.

16. Open Press Example: “The U.S. Navy is leading an initiative to exploit advanced new NASA and commercial environmental satellite imagery and data to aid time-critical strike planning-including weapons selection-for Afghanistan and potential other target areas in the Middle East, such as Iraq”.

17. Computer Network Exploitation - operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks

18. Open Press Example: Officials at APL discovered "penetration from an unwanted source" last year on its external Web site, prompting them to take the site offline. APL officials are trying to figure out exactly what information was accessed.Agency Approval Project Formulation Project Implementation Phase E: Phase B: Phase D: System Phase F: Phase A: Concept Phase C: Final Pre - Phase A: Operations and Preliminary Design Assembly, Closeout and Technology Design and Concept Studies Sustainment &Technology Integration, Test Development Fabrication Completion and Launch Affected Phases of a Typical Mission’s Lifecycle

20. Open Press Example: Telstar-12 was successfully jammed while attempting to broadcast a Persian news TV program into Iran under the stewardship of the State Department. The U.S. was able to trace the jamming signal to Bejucal - the former Soviet signals intelligence base in Cuba. Despite protests from the State Department Cuba continued to allow the Iranian diplomatic presence in Cuba to jam Telstar-12 for weeks.

21. Open Press Example: Libya has waged a jamming war against the West in a successful effort to stop an opposition radio station and also blocked dozens of television and radio stations in Europe.

22. Command Link Intrusions - Only 3 NASA space systems provide protection for their command links, i.e., Space Station, Shuttle and the TDRSS

23. Civil Space Examples: Between November 2007 and October 2008 the Terra and Landsat-7 spacecraft experienced four command link intrusion attempts. These attempts all occurred in the Arctic region close to the Svalbard Archipelago. The source of the intruder was never attributed.Agency Approval Project Formulation Project Implementation Phase E: Phase B: Phase D: System Phase F: Phase A: Concept Phase C: Final Pre - Phase A: Operations and Preliminary Design Assembly, Closeout and Technology Design and Concept Studies Sustainment &Technology Integration, Test Development Fabrication Completion and Launch Affected Phases

25. Open Press Example: "The Tamil Tigers in Sri Lanka have been hacking the Intelsat that hangs over the Indian Ocean to transmit propaganda. Intelsat is trying very hard to figure out how they did it, and then keep them from doing it again”.

26. Open Press Example: “Members of a hacking group called the Masters of Downloading claim to have broken into a Pentagon network and stolen software that allows them to control a military satellite system. They threaten to sell the software to terrorists. The Pentagon denies that the software is classified or that it would allow the hackers to control their satellites, but later admits that a less-secure network containing "sensitive" information had been compromised”.

27. Open Press Example: One Federal Government agency warned, “One person with a computer, a modem, and a telephone line anywhere in the world can potentially…cause a power outage in an entire region.” At about the same time this statement was made, a computer hacker publicly announced that he would release a document outlining how to break into power company networks and shut down the power grids of 30 United States utility companiesAgency Approval Project Formulation Project Implementation Phase E: Phase B: Phase D: System Phase F: Phase A: Concept Phase C: Final Pre - Phase A: Operations and Preliminary Design Assembly, Closeout and Technology Design and Concept Studies Sustainment &Technology Integration, Test Development Fabrication Completion and Launch Affected Phases of a Typical Mission’s Lifecycle

28. Space Asset Protection Policy Decomposition (Space System) Analysis –Space Asset Protection Policies and Requirements (Space System) Protection of Space Systems – NASA does not have any policies or requirements that address the protection of space systems and their supporting infrastructures. Assurance and Resilience – NASA does not have any policies or requirements that directly complies with the mission assurance guidance in the national space policy.

29. Recommendations to Close Protection Gaps Tailor the implementation of institutional security (physical, personnel, operational) functions to space mission criticality, guided by: NPR 7120.5 - Projects are either Category 1, 2, or 3 and are assigned to a category based initially on: The project life-cycle cost (LCC) estimate, the use of nuclear power sources, and whether or not the system being developed is for human space flight Priority level, which is related to the importance of the activity to NASA, the extent of international participation (or joint effort with other government agencies), the degree of uncertainty surrounding the application of new or untested technologies, and spacecraft/ payload development risk classification NPR 8705.4 - Classification levels define a hierarchy of risk combinations for NASA payloads by considering such factors as criticality to the Agency Strategic Plan, national significance, availability of alternative research opportunities, success criteria, magnitude of investment, etc. Tailor the implementation of IT security functions guided by: NPR 7150.2 - NASA-wide definitions for software classes are based on: Usage of the software with or within a NASA system Criticality of the system to NASA's major programs and projects Extent to which humans depend upon the system Developmental and operational complexity Extent of the Agency's investment

30. Recommendations to Close Protection Gaps (cont) Increase NASA’s interaction with other US Govt Agencies and Departments to protect the our ground segment mission facilities Greater collaboration between NASA and DHS to identify our mission’s critical nodes and single points-of-failure It is DHS’ responsibility to protect the critical commercial infrastructures that support NASA facilities Prioritize the allocation of law enforcement resources to protect the Agency’s highest priority sites when intelligence information indicates an elevated threat Review and expand Agency guidance (policy/requirements) on the protection of communications links Communications security (COMSEC) requirements are currently found in NPR 2810.1, Security of Information Technology Wrong NPR for COMSEC requirements – there are significant differences between the COMSEC and IT security disciplines COMSEC requirements currently found in NPR 2810.1 only address encryption as a means of protecting communication links and overlook other technical approaches Be proactive in addressing the growing threats of electromagnetic interference and jamming NASA’s existing policies and requirements may quickly become outdated by new technology, proliferation, criminal activity.